From 083194857ee9770b160035e2a3d59491abd1454b Mon Sep 17 00:00:00 2001
From: Matt Peel <mattpeel@silverstripe.com>
Date: Thu, 9 Jan 2014 17:12:47 +1300
Subject: [PATCH 1/2] =?UTF-8?q?Allow=20=E2=80=98ADMIN=E2=80=99=20and=20?=
 =?UTF-8?q?=E2=80=98CMS=5FACCESS=5FLeftAndMain=E2=80=99=20access=20to=20CM?=
 =?UTF-8?q?S.=20Fixes=20CWPBUG-113.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, only the global ‘ADMIN’ permission was allowing users to bypass the
stricter Permission check. We also need to allow the ‘CMS_ACCESS_LeftAndMain’
permission to bypass this check, as otherwise a user who is in a Group with the
‘Access to all CMS sections’ permission set (which only sets the
CMS_ACCESS_LeftAndMain permission code and no others) would be denied access to
the CMS for that sub site.
---
 code/extensions/LeftAndMainSubsites.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/code/extensions/LeftAndMainSubsites.php b/code/extensions/LeftAndMainSubsites.php
index 7a1fb69..dd4fc20 100644
--- a/code/extensions/LeftAndMainSubsites.php
+++ b/code/extensions/LeftAndMainSubsites.php
@@ -165,10 +165,16 @@ class LeftAndMainSubsites extends Extension {
 	function canAccess() {
 		// Admin can access everything, no point in checking.
 		$member = Member::currentUser();
-		if($member && Permission::checkMember($member, 'ADMIN')) return true;
+		if($member &&
+		(
+			Permission::checkMember($member, 'ADMIN') || // 'Full administrative rights' in SecurityAdmin
+			Permission::checkMember($member, 'CMS_ACCESS_LeftAndMain') // 'Access to all CMS sections' in SecurityAdmin
+		)) {
+			return true;
+		}
 
 		// Check if we have access to current section on the current subsite.
-		$accessibleSites = $this->owner->sectionSites($member);
+		$accessibleSites = $this->owner->sectionSites(true, "Main site", $member);
 		if ($accessibleSites->count() && $accessibleSites->find('ID', Subsite::currentSubsiteID())) {
 			// Current section can be accessed on the current site, all good.
 			return true;

From fb5d791444f2d0be4bb28ce0fffc32064599d7f0 Mon Sep 17 00:00:00 2001
From: Matt Peel <mattpeel@silverstripe.com>
Date: Fri, 10 Jan 2014 09:31:44 +1300
Subject: [PATCH 2/2] =?UTF-8?q?BUGFIX:=20permissions=20to=20check=20the=20?=
 =?UTF-8?q?=E2=80=98CMS=5FACCESS=5FLeftAndMain=E2=80=99=20global=20permiss?=
 =?UTF-8?q?ion.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

‘CMS_ACCESS_LeftAndMain’ is used by the PermissionCheckboxSetField to allow
applicable Members to access all CMS sections. There are then further
permissions to restrict the Members (e.g. ‘CMS_ACCESS_LeftAndMain’ will give you
access to the ‘Pages’ section, but you still need the ‘Edit any page’ permission
to actually edit anything).

This patch ensures that the subsites module follows those permissions, and
doesn’t unnecessarily deny permission to legitimate users.
---
 code/extensions/FileSubsites.php | 2 +-
 code/model/Subsite.php           | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/code/extensions/FileSubsites.php b/code/extensions/FileSubsites.php
index 0c5a438..6c898df 100644
--- a/code/extensions/FileSubsites.php
+++ b/code/extensions/FileSubsites.php
@@ -113,7 +113,7 @@ class FileSubsites extends DataExtension {
 			return true;
 		} else {
 			Session::set('SubsiteID', $this->owner->SubsiteID);
-			$access = Permission::check('CMS_ACCESS_AssetAdmin');
+			$access = Permission::check(array('CMS_ACCESS_AssetAdmin', 'CMS_ACCESS_LeftAndMain'));
 			Session::set('SubsiteID', $subsiteID);
 
 			return $access;
diff --git a/code/model/Subsite.php b/code/model/Subsite.php
index aa19bae..5be9c62 100644
--- a/code/model/Subsite.php
+++ b/code/model/Subsite.php
@@ -308,7 +308,7 @@ class Subsite extends DataObject implements PermissionProvider {
 			->leftJoin('Group_Subsites', "\"Group_Subsites\".\"SubsiteID\" = \"Subsite\".\"ID\"")
 			->innerJoin('Group', "\"Group\".\"ID\" = \"Group_Subsites\".\"GroupID\" OR \"Group\".\"AccessAllSubsites\" = 1")
 			->innerJoin('Group_Members', "\"Group_Members\".\"GroupID\"=\"Group\".\"ID\" AND \"Group_Members\".\"MemberID\" = $member->ID")
-			->innerJoin('Permission', "\"Group\".\"ID\"=\"Permission\".\"GroupID\" AND \"Permission\".\"Code\" IN ($SQL_codes, 'ADMIN')");
+			->innerJoin('Permission', "\"Group\".\"ID\"=\"Permission\".\"GroupID\" AND \"Permission\".\"Code\" IN ($SQL_codes, 'CMS_ACCESS_LeftAndMain', 'ADMIN')");
 
 		if(!$subsites) $subsites = new ArrayList();
 
@@ -319,7 +319,7 @@ class Subsite extends DataObject implements PermissionProvider {
 			->innerJoin('Group_Members', "\"Group_Members\".\"GroupID\"=\"Group\".\"ID\" AND \"Group_Members\".\"MemberID\" = $member->ID")
 			->innerJoin('Group_Roles', "\"Group_Roles\".\"GroupID\"=\"Group\".\"ID\"")
 			->innerJoin('PermissionRole', "\"Group_Roles\".\"PermissionRoleID\"=\"PermissionRole\".\"ID\"")
-			->innerJoin('PermissionRoleCode', "\"PermissionRole\".\"ID\"=\"PermissionRoleCode\".\"RoleID\" AND \"PermissionRoleCode\".\"Code\" IN ($SQL_codes, 'ADMIN')");
+			->innerJoin('PermissionRoleCode', "\"PermissionRole\".\"ID\"=\"PermissionRoleCode\".\"RoleID\" AND \"PermissionRoleCode\".\"Code\" IN ($SQL_codes, 'CMS_ACCESS_LeftAndMain', 'ADMIN')");
 
 		if(!$subsites && $rolesSubsites) return $rolesSubsites;